SOCIAL SECURITY

MEMORANDUM

Date:     September 22, 2006                                        Refer To:

To:       The Commissioner

From:     Inspector General

Subject:  Assessing Social Security Administration's Efforts to Protect Sensitive Information (A-14-07-27068)

The attached report summarizes our assessment of the Social Security Administration's (SSA) actions taken to protect sensitive information, as required by the Office of Management and Budget (OMB) Memorandum M-06-16, Protection of Sensitive Agency Information. OMB M-06-16 requires the Office of the Inspector General to perform a review of SSA's efforts to comply with the requirements specified in the memorandum.

Based on our assessment, SSA has taken a number of steps to comply with the requirements of OMB M-06-16. We believe the observations outlined in our report will assist SSA management in strengthening its security program to better protect the Agency's Personally Identifiable Information. Please comment on corrective action taken or planned on each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

Attachment


Assessing Social Security Administration's Efforts to Protect Sensitive Information

September 2006     A-14-07-27068
Patrick P. O'Carroll, Jr. – Inspector General


Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.


SOCIAL SECURITY

MEMORANDUM

Date:     September 22, 2006                                        Refer To:

To:       The Commissioner

From:     Inspector General

Subject:  Assessing Social Security Administration's Efforts to Protect Sensitive Information (A-14-07-27068)

OBJECTIVE

Our objective was to assess the Social Security Administration's (SSA) actions to ensure that Personally Identifiable Information (PII) is safeguarded in accordance with the Office of Management and Budget (OMB) Memorandum M-06-16, Protection of Sensitive Agency Information.

BACKGROUND

In response to numerous incidents involving the compromise or loss of sensitive personal information, OMB issued several memoranda to provide Federal agencies guidance on the protection of PII entrusted to them.

OMB defined Sensitive PII as:

    "...any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual."[1]

Information systems can be either electronic or manual.

OMB issued Memorandum M-06-16 on June 23, 2006. The Memorandum specifies measures that agencies need to have in place to ensure protection of sensitive remote information[2] by August 7, 2006.[3] M-06-16 requires Federal agencies to comply with the Security Checklist provided by the National Institute of Standards and Technology (NIST) and recommends four additional actions that agencies should take for the protection of remote sensitive information. The intent is to compensate for the lack of physical security controls when information is removed from, or accessed from outside, the agency location.

The security controls and assessment procedures in the NIST Security Checklist were taken from NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, February 2005, and NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Second Public Draft), April 2006. The controls and assessment methods/procedures in the checklist are a subset of what is currently required for moderate and high impact information systems.

SCOPE AND METHODOLOGY

Our work was limited to assessing SSA's efforts to protect sensitive information as prescribed by OMB Memorandum M-06-16. To meet our objective, we interviewed appropriate Agency staff and reviewed relevant Agency policies and procedures and controls documentation. We used the review guide and the Data Collection Instrument developed by the President's Council on Integrity and Efficiency/Executive Council on Integrity and Efficiency. See Appendix B for more details on our Scope and Methodology.

SUMMARY OF RESULTS

Our assessment showed that SSA has taken a number of steps to comply with OMB Memorandum M-06-16 requirements. Based on our assessment, we found that the Agency has taken the following actions to protect its sensitive personal information:

• SSA has initiated projects to encrypt all laptop computers and mobile devices.
• On June 6, 2006, SSA's Chief Information Officer (CIO) issued a message to all SSA employees, contractors and Disability Determination Service employees to remind them of their responsibilities to properly safeguard PII entrusted to them.
• SSA has also created a web page, Safeguarding Personal Information, where PII is defined and PII protection issues are discussed.
• SSA computers and applications are set to time out after 15 minutes of inactivity.

SSA continues to make progress in the protection of PII. However, to fully comply with OMB Memorandum M-06-16 and to better protect remote PII, SSA needs to improve in the following areas:

• SSA policy for the protection of PII;
• Encryption of removable media;
• Encryption of sensitive data on mobile computers and devices;
• Two-factor authentication when remotely accessing PII; and
• Logging data extracts.

SSA Policy for the Protection of PII

SSA's information security policy is documented in its Information Systems Security Handbook (ISSH). During our review, we identified Agency policies and procedures regarding the protection of PII. For example, the memorandum issued by the CIO states "Mainframe access from the alternate duty station for those employees on flexiplace is prohibited." However, a number of important points in OMB Memorandum M-06-16 are not addressed. For example, SSA does not explicitly state whether downloading of PII is allowed. Also, the policy does not clearly state what remote access methods should be used. To comply better with OMB Memorandum M-06-16, SSA needs to revise and consolidate its security policy.

Encryption of Removable Media

OMB Memorandum M-06-16 recommends encryption for PII being transported and/or stored offsite.[4] SSA routinely sends its systems and data back-up tapes to off-site storage facilities (OSSF). There are about 20,000 tapes stored at its primary OSSF which contain PII. Currently, these tapes are not encrypted before they are sent for off-site storage. However, there are numerous compensating controls to protect these tapes, such as storage in a secured vault, guards, and video monitoring. SSA is also in the process of evaluating an off-site data encryption solution to address this issue. In addition, SSA has implemented stringent physical security controls to protect these tapes during transportation to and within the storage facility.

Encryption of Sensitive Data on Mobile Computers and Devices

OMB Memorandum M-06-16 recommends encryption of all data on mobile computers and devices that carry sensitive agency data.[5] SSA has actively pursued the encryption of data on all mobile devices and has initiated a project to encrypt the hard drives of all laptop computers. All new laptops should have been encrypted by August 31, 2006, and all older laptops should be encrypted by October 31, 2006. In the future, SSA plans to decommission unencrypted laptops.

Additionally, SSA's Outlook Web Access (OWA) enables employees to access their SSA mailboxes from any computer which has Internet access. Employees can use their home computers to obtain full access to e-mail attached files through OWA. Although SSA requires password protection for such files, it does not ensure files containing PII are encrypted. SSA is working on a solution that will increase the security of data accessed through OWA. See the section on two-factor authentication.

Two-Factor Authentication When Remotely Accessing PII

OMB Memorandum M-06-16 recommends that agencies allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.[6] SSA employees can access PII remotely through two methods, a virtual private network (VPN) and OWA. SSA's VPN can only be used on SSA computers configured to use SSA's VPN. The VPN technology uses a two-factor authentication method: a Smartcard (separate from the computer gaining access) and a password.

To access OWA, an individual uses his/her SSA network Personal Identification Number and password. However, the Office of Telecommunications and Systems Operations is developing and testing improved authentication methods to meet the requirements set forth by OMB Memorandum M-06-16.

Logging Data Extracts

OMB Memorandum M-06-16 recommends that agencies "log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required."[7] SSA acknowledged that it has not logged all of its data extracts nor verified that they were erased within 90 days.

SSA stated that this OMB recommendation poses a significant business concern and has serious implications for many existing SSA business processes. SSA routinely and extensively extracts data from its databases that contain PII and shares this information with both internal and external entities. Internally, SSA components use the data extracts within the organization for its core business processes and various reviews. Externally, SSA provides data extracts to other Federal, state and local government partners and trusted third parties to assist in cross-agency program delivery and coordination.

Due to the large number of data extracts created daily, SSA stated that it cannot log and track this information in accordance with OMB Memorandum M-06-16. However, the Agency has other compensating controls to protect the PII contained in the data extracts. They include access controls, certain logging activities, internal and external security audits, and the implementation of a new confidentiality notice transferring custodial responsibilities for protecting PII. SSA should continue to pursue its efforts to protect data extracts involving PII.

CONCLUSIONS AND RECOMMENDATIONS

Our assessment showed that SSA has taken a number of steps to comply with OMB Memorandum M-06-16 requirements and has made progress in the protection of PII. SSA has initiated projects to encrypt all laptop computers and mobile devices and has issued a reminder to its employees of their responsibilities to properly safeguard PII entrusted to them. SSA has also created a web page, Safeguarding Personal Information, where PII is defined and PII protection issues are discussed. However, there are a few areas in the protection of remote PII that need to be addressed. To fully comply with OMB M-06-16, we recommend SSA:

1. Revise and consolidate Agency policy to better protect PII;

2. Continue to investigate methods to encrypt PII stored off-site and implement technologies that meet recommended NIST standards;

3. Complete on-going projects to encrypt all mobile computers and devices;

4. Implement stronger authentication solutions for OWA; and

5. Continue efforts to log and protect data extracts involving PII per NIST standards.

Patrick P. O'Carroll, Jr.

[1] OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006.
[2] Remote information is information that is either accessed remotely or physically transported outside of the agency's secured, physical location.
[3] OMB Memorandum M-06-16, Protection of Sensitive Agency Information, page 1, June 23, 2006.
[4] OMB M-06-16, supra at pages 1 and 6.
[5] Id.
[6] OMB M-06-16, supra at page 1.
[7] Id.


Appendices

APPENDIX A – Acronyms

APPENDIX B – Scope and Methodology

APPENDIX C – OIG Contacts and Staff Acknowledgments


Appendix A

Acronyms

DCI      Data Collection Instrument
FIPS     Federal Information Processing Standards
FISMA    Federal Information Security Management Act of 2002
ISSH     Information Systems Security Handbook
NIST     National Institute of Standards and Technology
OMB      Office of Management and Budget
OSSF     Off-site Storage Facility
OWA      Outlook Web Access
PII      Personally Identifiable Information
SP       Special Publication
SSA      Social Security Administration
VPN      Virtual Private Network


Appendix B

Scope and Methodology

The following is taken from the review guide developed by the President's Council on Integrity and Efficiency/Executive Council on Integrity and Efficiency.

Various laws and regulations have addressed the need to protect sensitive information held by government agencies, including the Federal Information Security Management Act (FISMA), the E-Government Act of 2002, the Privacy Act of 1974, and the Office of Management and Budget's (OMB) Circular A-130, Management of Federal Information Resources. FISMA requires agencies to have a security program and controls for systems to protect their sensitive information.[1]

FISMA also requires agencies to implement standards and guidelines developed by the National Institute of Standards and Technology (NIST).[2] Relevant standards are:

• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004;

• FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006; and

• FIPS Publication 201, Personal Identity Verification of Federal Employees and Contractors, February 2005.

Additional guidance on protecting PII and other sensitive information is described in the NIST Special Publication (SP) 800 series. Among them, SP 800-53, Recommended Security Controls for Federal Information Systems, provides key criteria for assessing compliance with FISMA requirements. This guidance forms the basis for the OMB Memorandum M-06-16 Security Checklist covering protection of remote information. OMB's memorandum conveys the intent of implementing the checklist and specific recommended actions to be taken by Federal agencies for the protection of sensitive information to compensate for the lack of physical security controls when information is removed from, or accessed from outside, the agency location.[3]

The following documents were considered with this review:

• OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 2003;
• OMB Memorandum M-03-18, Implementation Guidance for the E-Government Act of 2002, August 2003;
• OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 2006;
• OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 2006;
• OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 2006;
• FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004;
• FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006;
• NIST SP 800-53, Recommended Security Controls for Federal Information Systems, February 2005;
• NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Second Public Draft), April 2006;
• NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categorization Levels, June 2004;
• Public Law 107-347, E-Government Act of 2002, Titles II and III;
• OMB Circular A-130, Management of Federal Information Resources, November 2000; and
• The Privacy Act of 1974; 5 U.S.C. 552a.

To meet our objectives, we interviewed appropriate Agency staff and reviewed relevant Agency policies and procedures and controls documentation. We completed our work in August and September 2006 in accordance with the review guide developed by the President's Council on Integrity and Efficiency/Executive Council on Integrity and Efficiency.

[1] Public Law 107-347, Title III, Section 301, 44 U.S.C. § 3541.
[2] Public Law 107-347, Title III, Section 302, 44 U.S.C. § 11331.
[3] OMB Memorandum M-06-16, Protection of Sensitive Agency Information, page 1, June 23, 2006.


Appendix C

OIG Contacts and Staff Acknowledgments

OIG Contacts

Kitt Winter, Director, Data Analysis and Technology Audit Division
(410) 965-9702

Phil Rogofsky, Audit Manager, Network Security and Telecommunications Branch
(410) 965-9719

Acknowledgments

In addition to the persons named above:

Grace Chi, Auditor-in-Charge

Mary Ellen Fleischman, Senior Program Analyst

Harold Hunter, Senior Auditor

Evelyn Chao, Auditor

Annette DeRito, Writer/Editor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-14-07-27068.


DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board


Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.
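The "Logging Data Extracts" finding in the report above describes the OMB M-06-16 control in prose only: log every computer-readable extract from a database holding sensitive data, then verify within 90 days that each extract has been erased or is still required. The following register is an added example of what that control looks like as working code; it is not SSA's system or code from the report, and the class, the sample extract records and the `REPORT_DATE` used as "today" are assumptions made for illustration. It goes slightly beyond the text in distinguishing an extract erased late from one erased on time, since an auditor would want both counted.

```python
"""Extract register for the OMB M-06-16 data-extract control (added example).

Assumed design, not SSA's: every extract is logged when created; the register
then reports which PII extracts have passed the 90-day window without being
erased or re-confirmed as still required.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS = 90                 # verification window stated in OMB M-06-16
REPORT_DATE = date(2006, 9, 22)     # report date, used as "today" in the sample


@dataclass
class Extract:
    extract_id: str
    source_db: str
    recipient: str                  # internal component or external partner
    created: date
    contains_pii: bool
    erased_on: Optional[date] = None
    reverified_on: Optional[date] = None   # last "still required" confirmation


class ExtractRegister:
    def __init__(self) -> None:
        self._extracts: Dict[str, Extract] = {}

    def log_extract(self, extract: Extract) -> None:
        """Record a new extract; duplicate ids indicate a logging defect."""
        if extract.extract_id in self._extracts:
            raise ValueError(f"duplicate extract id {extract.extract_id}")
        self._extracts[extract.extract_id] = extract

    def record_erasure(self, extract_id: str, when: date) -> None:
        self._extracts[extract_id].erased_on = when

    def confirm_still_required(self, extract_id: str, when: date) -> None:
        """Restart the 90-day clock after a documented 'still required' review."""
        self._extracts[extract_id].reverified_on = when

    def status_of(self, extract_id: str, today: date = REPORT_DATE) -> str:
        e = self._extracts[extract_id]
        window = timedelta(days=RETENTION_DAYS)
        clock_start = e.reverified_on or e.created   # clock restarts on re-verification
        if e.erased_on is not None:
            return "erased" if e.erased_on - clock_start <= window else "erased-late"
        return "overdue" if today - clock_start > window else "open"

    def overdue(self, today: date = REPORT_DATE, pii_only: bool = True) -> List[str]:
        """Extract ids still held past the window; PII extracts by default."""
        return sorted(
            eid for eid, e in self._extracts.items()
            if (e.contains_pii or not pii_only)
            and self.status_of(eid, today) == "overdue"
        )

    def summary(self, today: date = REPORT_DATE) -> Dict[str, int]:
        counts: Dict[str, int] = {"open": 0, "erased": 0, "erased-late": 0, "overdue": 0}
        for eid in self._extracts:
            counts[self.status_of(eid, today)] += 1
        return counts


def build_sample_register() -> ExtractRegister:
    """Constructed sample records (not real SSA extracts) covering each status."""
    reg = ExtractRegister()
    rows = [
        Extract("EXT-0001", "claims-db", "internal-review", date(2006, 5, 1), True),
        Extract("EXT-0002", "claims-db", "state-partner", date(2006, 5, 1), True),
        Extract("EXT-0003", "earnings-db", "internal-stats", date(2006, 8, 1), True),
        Extract("EXT-0004", "claims-db", "federal-partner", date(2006, 4, 1), True),
        Extract("EXT-0005", "office-directory", "internal-hr", date(2006, 3, 1), False),
        Extract("EXT-0006", "claims-db", "internal-audit", date(2006, 3, 1), True),
    ]
    for r in rows:
        reg.log_extract(r)
    reg.record_erasure("EXT-0001", date(2006, 6, 15))     # 45 days: on time
    reg.confirm_still_required("EXT-0004", date(2006, 8, 15))
    reg.record_erasure("EXT-0006", date(2006, 7, 1))      # 122 days: late
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print("overdue PII extracts:", register.overdue())
    print("summary:", register.summary())
```

The register treats a documented "still required" review as restarting the clock, which is how the memorandum's "or its use is still required" alternative is usually operationalised; without such a review, an extract held past 90 days is reported as overdue regardless of how routine the business process behind it is.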